my Stretch desktop inside the AirStation LAN showed that can also now
ping to the PI. This represents major progress.
However, I still cannot ssh from the Stretch desktop to the PI (although
I still CAN ssh from the firewall to the PI, and I can still ssh from
the Stretch desktop to the firewall).
My network had an otherwise quiet moment a few minutes ago, and I was
able to try the ping test and note that, when pinging 192.168.1.1 the
light on the ethernet port on the PI does not flash, as I would expect,
but when pinging to 192.168.1.6 the ethernet ports on both the PI and
the firewall flash. I take this as evidence that what Pascal said might
be happening, is happening -- the AirStation for some reason still
doesn't know it can reach 192.168.1.6 directly and so is sending packets
to 192.168.1.1 for forwarding to 192.168.1.6 -- and the firewall machine
is obliging, but that is only working properly for ping packets and not
for TCP protocols like SSH.